Asymmetric Threat 4 Paper

D E A L I N G W I T H T O D A Y ’ S A S Y M M E T R I C T H R E AT
Cyber Threats
to National Security
Countering Challenges to the
Global Supply Chain

This document is intended only as a summary of the personal remarks made by participants at
the March 2, 2010 symposium, “Cyber Threats to National Security, Symposium One: Countering
Challenges to the Global Supply Chain,” co-sponsored by CACI International Inc (CACI) and the
U.S. Naval Institute (USNI). It is published as a public service. It does not necessarily reflect the
views of CACI, USNI, the U.S. government, or their officers and employees.
July 2010
UNCLASSIFIED
Cyber Threats to National Security
Symposium One: Countering Challenges to the Global Supply Chain
Contents
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . …2
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . …3
1.1 An Unprecedented Asymmetric Threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . …3
1.2 The Cyber Challenge to U.S. National Supply Chains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . …4
1.3 National Response to the Threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . … 5
2 Assessing the Cyber Threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .…6
2.1 The Realities of the Growing Cyber Threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . …7
2.1.1 The Highly Asymmetric Nature of Cyber Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . …7
2.2 Cyber Threats Affect Everyone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . …9
2.2.1 Impact on Government . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . …10
2.2.2 Impact on the Private Sector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . …10
2.2.3 Impact on Individuals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . …10
2.2.4 Impacts at the International Scale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . …11
3 Securing Supply Chains in the Cyber World . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
…1
3.1 Supply Chain Threats and Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . …11
3.2 Securing the Supply Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . …13
3.2.1 The Information Technology Supply Chain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .…13
3.3 Operational Perspectives on Securing the National Security/Defense Supply Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .…15
4 The Way Forward: A View From the Hill and Beyond . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . …17
4.1 Legislative Branch Initiatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . … 17
4.2 Executive Branch Action: Developing and Defining Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . …19
4.2.1 Aligning Agency Roles and Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . …19
4.2.2 Defining Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .…19
4.2.3 The Role of Diplomacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . …20
4.3 A Private-Public Partnership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . …21
4.4 The Critical Role of Education and Individuals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . … 22
5 Findings and Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . … 23
5.1 Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . … 25
5.2 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . …26
5.3 Defining Cybersecurity Success . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .…26
5.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . …27
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .…28
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .…31
© 2010 CACI International Inc UNCLASSIFIED H 1

UNCLASSIFIED
Executive Summary interwoven with those of every nation, both friendly and
hostile to U.S. interests.
In the cyber age, the nature of the supply chain must be re-
The United States is faced with an unprecedented asym- examined. The vast majority of U.S. supply chains rely on
metric threat to its national security, one to which the information technologies to carry out their functions and
public is not yet fully awake. Of increasing importance, processes. At the same time, the convergence of computer
it is a threat to the nation’s vast information assets, net- and communications technologies potentially compromises
works, and systems that operate in cyberspace. Within every information system worldwide. Threats to both pri-
this context, it is critical to look at the cyber threat to the vate and government supply chains are equally affected.
nation’s supply chains. Even as cyber threats mount, it is also clear that solutions to
these threats also reside in the cyber domain. Technologies
Assessing the Cyber Threat that can be turned against a nation can also be the source of
Cyber threats are asymmetric because attacks may be its defense. The U.S. must commit time, funding, and ex-
perpetrated by the few upon the many, with little cost pertise to fully exploring this aspect of cyberspace.
and resources. Cyber attacks are typically anonymous,
launched from any of billions of sources worldwide. The Way Forward
Impacts may be immediate and obvious, or dormant and To enforce cybersecurity of U.S. supply chains, it is nec-
subtle, eluding recognition for years. Degrees of dam- essary for the government and its citizens to engage in a
age can range from inconvenient downtime of personal unique collaborative effort. Every user of a cyber-enabled
systems to the life-threatening destruction of critical in- device has in their hands a point of vulnerability and a
frastructures. source of potential attack, and is a potential cyber warrior.
Cyber threats are growing and will impact everyone. The Congress and the executive branch must engage coopera-
increasing global dependence on technology has only tively in defining roles and responsibilities. Diplomatic
increased vulnerability to it. In turn, increased connectiv- solutions must be explored, and a public-private partnership
ity has exacerbated existing security threats. Developing must develop. Responsibility must be shared among the
an effective and comprehensive national cybersecurity government, the private sector, and every private citizen to
strategy to counter these threats is paramount. protect U.S. cyber assets.
A key component of this strategy will be a capability to
protect U.S. supply chains from mounting cyber threats. Recommendations
Supply chains provide goods and services that are es-
A number of recommendations may be made to advance
sential to the functions of the U.S. government and its
the national understanding of cyber threats in general and
economy, the well-being of Americans, and the support
supply chain threats in particular. The U.S. must:
and protection of American troops worldwide.
1. Ensure the nation is prepared to react to and preempt
Securing Supply Chains cyber attacks;
Historically, U.S. supply chains have been largely im-
2. Make supply chain security part of the establishment
mune to threat because the most critical supply chains
of an overall cyber intelligence capability;
were internal to North America, far from the influence of
foreign actors. This is no longer true in the cyber age. 3. Develop the ability to build a limited number of
During the last 25 years, globalization has increasingly computer and communication systems that are
compromised U.S. supply chain immunity. The world- absolutely certain to be secure; and
wide cyber domain has also become increasingly essential
4. Carry out a sustained strategic communications
to every aspect of governmental, commercial, and per-
campaign to provide the public with a realistic
sonal life. U.S. communications, command, and control
appreciation of the cyber threat.
technologies and capabilities have become inextricably
2 H UNCLASSIFIED © 2010 CACI International Inc

UNCLASSIFIED
1 Introduction 1.1 An Unprecedented

Asymmetric Threat
The U.S. is faced with a great strategic reversal, one
with asymmetric roots grounded in the birth of the
As the United States government develops strategies that
cyber age. Although there is much recognition of the
address the diversity of twenty-first century asymmetric
cyber revolution that has swept the world in recent
threats, CACI International Inc, along with the National
years, the strategic reversal has yet to gain broad public
Defense University (NDU) and the U.S. Naval Institute
appreciation. Like the boiled frog of urban legend, the
(USNI), organized and presented a series of pro bono
U.S. is in increasingly hot water but has not yet fully
symposia to contribute to the national discourse on
awakened to its predicament.
this topic.1 These symposia examined and defined the
asymmetric threat; explored the key elements of a The idea that cyber attack is an increasing threat to the
revised national security strategy; and helped articulate U.S. ability to pursue its national security objectives,
the framework for implementing “smart power” – the at both the strategic and tactical levels, emerged in the
balanced synthesis of hard and soft power. late 1990s. That the cyber threat might be a threat to
the success of the nation, however, is not yet broadly
A new symposium series has now begun on the topic of
recognized in American society.2 The first Gilmore
cyber threats. The first in this series, Cyber Threats to
Commission Report in 1998 had the briefest mention of
National Security – Countering Challenges to the Global
the cyber threat; the 2000 report included much more.3
Supply Chain, was co-sponsored by CACI and USNI on
March 2, 2010. It addressed emerging threats in cyber- One of the greatest challenges facing the national secu-
space, with a focus on national supply chains. This re- rity community is communicating the significance of this
port presents a summary of the discussions, findings, and threat to the broader U.S. society. The cyber threat does
recommendations from that symposium. not fit cultural stereotypes associated with past threats.
The problem is exemplified by the continuing controversy
over the treatment of captured terrorists: are they warriors
to be subjected to military justice, or are they criminals to
be subjected to civilian justice? Now consider how dif-
ficult it may be to properly respond to a threat created by a
“techie,” or even a “tech squad,” half a world away.
U.S. warfighting and national security prowess have

relied on the power and remoteness of its industrial
base, secure internal lines of communications, and
overwhelming logistics power.4 Today, the convergence
of computer and communications technologies has
brought America’s remotest regions into a cyber domain
in which everything is potentially connected at the
speed of light. Now and for the foreseeable future, cyber
The convergence of communications and computer technologies has
attack, when integrated with hard and soft power, can
brought with it the unprecedented potential to undermine U.S. national threaten America’s national security in ways that are
security through cyber attacks at any point in the global cyber domain. truly unprecedented. This has profound implications for
Graphic courtesy of CACI.
America’s strategic posture.
1 NDU co-sponsored the first symposium on asymmetric threats
and USNI co-sponsored the second two, concluding the series at three. 2 Steven Chabinsky, CACI-USNI symposium comments.
Published reports from these symposia can be found at 3 Hon. James Gilmore, CACI-USNI symposium comments.
http://asymmetricthreat.net. 4 General William Wallace, CACI-USNI symposium comments.

UNCLASSIFIED
“Cybersecurity has the same reach as homeland

1.2 The Cyber Challenge to U.S.
security. It touches everything.” National Supply Chains
– Former Secretary of Homeland Security Tom Ridge The shaping of a U.S. response to cyber threats requires
a strong focus on a key vulnerability: U.S. supply chains.
Cybersecurity plans and programs have been developed
A supply chain is a system of organizations, people, pro-
by the government and have been discussed in industry
cesses, technology, information, and resources. It is or-
for decades. Exacerbating traditional security threats, the
ganized to enable suppliers to develop raw material and
cyber component adds a genuinely new dimension that
natural resources into finished products, and then deliver
obscures the threats and makes the need for action less
goods to their customers. An end-to-end process from
obvious. Consequently, the political will to implement
raw materials to finished goods, the supply chain faces
these plans and programs has not been fully marshaled.
constant threats at every step.
America’s response to the cyber threat has not been to a
level that counters the actions and investments of other U.S. supply chains are threatened as never before.
nation states and cyber threat actors. Historically, supply chains were largely immune
to attack because the most critical processes were
In the early 2000s, there were several high-level efforts to
internal, far from the influence of foreign threats.
elevate the cybersecurity discussion to the national level.
The country’s continental span afforded significant
The Department of Homeland Security (DHS) began
supply chain protection.
development of a national cyber strategy, which laid out
a plan for dealing with cyber crime and terrorism. Among In the last 25 years, however, U.S. supply chain
other initiatives, the Department of Defense (DoD) immunity has been compromised. A worldwide cyber
established the DoD Cyber Crime Center in October 2001. domain has been created in which U.S. communications,
However, while there was progress toward an approach command, and control circuits are interwoven with those
to incorporate cybersecurity into the national psyche, the of friend and foe alike. Through both independent and
threat of cyber attacks remained an esoteric concept that integrated cyber attacks and other asymmetric means,
was not fully comprehensible to most of U.S. society. U.S. supply chains may be at greater risk of significant
disruption than at any point since the Civil War.
This conceptual divide was further deepened by the
terrorist attacks of September 11th. National attention Asymmetric strategies to disrupt or destroy an
turned to the immediate fear that terrorist organizations adversary’s supply chain operations have long been
could physically attack the United States and its citizens. fundamental to U.S. warfighting strategy, one that
Protecting ports of entry and territorial boundaries few adversaries could effectively counter. Likewise,
became paramount. Meanwhile, those who saw protection of American industrial capacity and supply
cyberspace as a means to achieve their ends continued to chains has been a fundamental national priority.
develop capabilities and planned for the eventual use of
cyberspace as a weapon. Today, the tables have turned on the U.S. To some extent,
this has been a result of unintended consequences of its
A comprehensive national strategy that effectively own actions in developing and globalizing Internet tech-
addresses the cyber threat remains to be developed. The nologies. The global reach of the Internet and the perva-
U.S. has had innumerable tactical successes, but the sive interconnection of government and non-governmental
window to develop and implement a national strategy networks leave the U.S. open to a variety of cyber attacks.
is closing and may not remain open much longer. If This includes “cyber manipulation,” which is any infor-
another decade passes without such a strategy, the nation mation operation that results in a compromise of the
may not survive the threat.5 service or product delivered through a supply chain.
5 Chabinsky, op. cit.

UNCLASSIFIED
compromised. Currently, supply chain users around

the world lack the hardware or software assurance
technologies and business processes necessary to have a
better security environment.8
The U.S. government, which sponsored the development

and application of virtually all the technology
innovations that led to the information technology mass
market, itself lacks the resources to address the cyber
threat in a meaningful way.
While the U.S. government is a large user, perhaps

arguably the largest single user, of converged computer
and communications technologies, it is not a big user
on the global scale. For example, a single software
product like Microsoft Windows® sells at least 100
million units a year, but sales to the U.S. government
are likely to be less than 10 percent of annual sales.
Large container ships must not only be physically protected but also safe- Therefore, industry won’t change its technology or
guarded from cyber attacks that could disrupt scheduling and delivery of vital
goods. Image in public domain. processes for a U.S. government agency unless the
government pays for the change.9
Consequently, there are countless weak links in supply
chains associated with computer and communications In addition to the sheer scale of global market forces,
technologies. U.S. adversaries often pick the supply the influence of the U.S. government is diluted by
chain as the first attack vector against the U.S. This may social and political forces. The boundaries between
involve weak points in hardware, software, the architec- countries, companies, and individuals have grown
ture of the Internet, or other communications infrastruc- indistinct. Conflicting loyalties may thwart U.S.
tures that include those used by mobile devices.6 goals. What happens when the U.S. government deals
with global suppliers and makes requests based on
Furthermore, all aspects of supply chains are subject
national security interests – and other governments
to cyber attack or manipulation, including design,
ask for security modifications that conflict with U.S.
manufacturing, transport and delivery, installation, and
requests?10
repair or upgrade.7 There are also numerous avenues
through which attack or manipulation can be carried out. In short, there is a growing threat of cyber attacks,
especially to U.S. and global supply chains. The
Computer and communications supply chains are the
reality of this must become part of both U.S. policy
one thing shared in common by all other supply chains.
and public perception.
In effect, they are the “supply chain of supply chains.”
Nearly all supply chains are dependent on converged
computer and communications technologies. If these are 1.3 National Response to the Threat
compromised, then all supply chains are compromised,
whether they are known to have been attacked or not. The scale, scope, novelty, and complexity of cyber
Furthermore, since the computer and communications threats demand an application of all the instruments of
technologies have replaced their predecessors around the national power, both public and private, if the U.S. is to
world, every supply chain everywhere is, in principle, respond successfully.
6 Chabinsky and Vergle Gipson, CACI-USNI symposium 8 Ibid.

comments. 9 Zalmai Azmi, CACI-USNI symposium comments.
7 Chabinsky, op. cit. 10 Bruce McConnell, CACI-USNI symposium comments.

UNCLASSIFIED
2 Assessing the
The lead role in developing and enacting U.S.
cybersecurity policy is shared by the legislative and
executive branches of government. A concerted response Cyber Threat
by these branches will strengthen legal authorities,
establish and clarify roles and responsibilities, and
change public perceptions. Looking at the cyber threat environment, it is clear that
adversaries of the U.S. have compromised the nation’s
Congress must consider a number of factors in
interests. The computers of the nation’s own citizens are
enacting legislation specifically focused on improving
infected with malicious software and unwittingly being
cybersecurity. It must establish a U.S. capability to
used against U.S. interests. The federal government is
monitor emerging technologies and rapidly respond
constantly under attack. U.S. critical infrastructure is being
to threats from any source. It must tailor legislation to
targeted and explored by adversaries on a daily basis.11
the executive agencies in which these capabilities will
reside and be implemented. Budget constraints must The Center for Strategic and International Studies
be considered, while Constitutional limits of federal (CSIS) found that more than 50 percent of businesses
power and the rights of local and state governments are operating critical infrastructure, including electrical
respected. Privacy and other individual rights also must grids and gas and oil supplies, have experienced cyber
not be infringed. attacks at a cost of millions of dollars each day, posing a
significant threat to essential services.12
The President must continue to make cybersecurity
a national priority, and executive branch policy must While the U.S. has been preoccupied discussing the
clarify and define agency roles and responsibilities. implications of security in the modern, connected,
Executive policy should include increasing efforts high-bandwidth world, its adversaries have been busy
to define a common and clearly understood lexicon developing exploitative technologies and learning
of cyber domain and cybersecurity terminology.
Presidential guidance and directives will continue Ten Countries Most Frequently
United States
to be vital in helping federal agencies establish Targeted by Cyber Attacks
complementary and collaborative strengths in supporting In 2009, the U.S. was the target of more malicious cyber
U.S. national security. activity than any other nation. Graphic courtesy of CACI
based on data from Symantec Corporation.
Because cyber threats are international in scale and
scope, global coordination and cooperation are essential.
The executive branch must therefore also formulate
China
and execute diplomatic initiatives complementary to
United Kingdom
domestic actions.
Germany
Brazil
The government also needs to work closely with

India
Poland
Russia
the private sector for a truly comprehensive cyber

Spain
Italy
response. The private sector is the source of most cyber

technologies and products and owner of many of the
systems under greatest threat.
Finally, the government must commit to a strategic

communications initiative that ensures every American 11 According to the security software maker Symantec, in 2009, for
understands the true nature of cyber threats and takes a the second year in a row the U.S. was the victim of more malicious
personal stake in cybersecurity. Only when the public cyber activity than any other country in the world, suffering 19
is fully informed, and acting on that knowledge, can percent of all global attacks. See Symantec Global Internet Security
Threat Report, Trends for 2009, Volume XV, published April 2010.
government initiatives truly move forward. 12 Hon. Tom Ridge, CACI-USNI symposium comments.

UNCLASSIFIED
from experience. They are fully capable of operating misdirected service. They can be obvious, immediately
offensively within cyberspace. The globalization identified events; backdoors that become effective only
of manufacturing products in the information and when a specific set of events occurs in the future; or
communications sectors means that the U.S. and other events that are timed to occur in the future. Not only
highly developed countries, including all the G20 can these attacks immediately disrupt the flow of the
members, are dependent on newly emerging producers goods and services to the warfighter, they can also take
of technology in this space. down entire networks.
The U.S. now finds itself more reliant than ever on By 2017, it is expected that Chinese investment in
converged computer and communications technologies, information technology will surpass that of the U.S. by
more so than almost any other country. While benefiting 5 percent.15 What are U.S. institutions doing to counter
from the efficiencies these technologies bring, the U.S. is this threat? How can DoD develop awareness of the
simultaneously in an increasingly defensive posture with cyber threat in its training, war gaming, simulation, and
adversaries that have identified cyber warfare as the new officer development?
asymmetric weapon of choice.
2.1.1 The Highly Asymmetric Nature
America’s adversaries have come to realize that the very
of Cyber Threats
efficiencies provided by information technology, the very
technologies that enable all modern societies to thrive, During the 1990s, the growing prominence of the infor-
can also be used to efficiently undermine U.S. security. mation technology mass market and the Internet drew
increasing attention to the potential for and emergence of
2.1 The Realities of the Growing new forms of asymmetrical warfare. Experts began to rec-
ognize that converged, networked information technology
Cyber Threat and communications systems reinforced other technical
advances to empower individuals and small groups in un-
The battlespace has changed. Notwithstanding Sun Tzu’s precedented ways that could challenge even the power of
recommendation to “know thy enemy,” the U.S. is no the United States.16
longer dealing with a single known enemy, or even a
handful of known enemies, on known battlefields.13 Cyber actors, from individuals, to criminal groups, to
rogue states and terrorists, can today easily combine to
Instead, the U.S. is dealing with hundreds, even launch a customized cyber threat.
thousands, of attacks daily. They come from known and
unknown adversaries, attacking from multiple entry • Individuals. At the lowest end of the threat spectrum
points. Attacks can come from solitary hackers, inside are uncoordinated individuals acting on their own.
and outside the network, inside and outside U.S. borders, Although some individual actors are highly intelligent
and be intentional as well as unintentional. There are and may pose a risk to systems, their motivation is
also large-scale, coordinated attacks from friendly and often limited to achieving personal satisfaction or
unfriendly countries all over the globe. recognition based on the disruption they hope to cause.
The limited level of resources available to individuals
The highest rate of cyber attacks on U.S. networks – reduces the risk posed by this class of threat.
perhaps surprisingly – is from within the United States.
China is second, and Spain is third.14
15 Ibid.
These attacks are manifested in the form of system 16 Among the analyses that first recognized these possibilities are
John Arquilla, David Ronfeldt, and Michele Zanini, “Networks,
crashes, denials of service, counterfeiting, corrupted Netwar, and Information Age Terrorism,” in Zalmay Khalilzad,
or stolen data, material theft, delivery delays, and John P. White, Andrew W. Marshall (eds.), The Changing Role of
Information in Warfare (Santa Monica, CA: RAND Corporation,
13 Azmi, op. cit. 1999); and Martin Shubik, “Terrorism, Technology and the
14 Ibid. Socioeconomics of Death,” Comparative Strategy, 1997.

UNCLASSIFIED
• Corporations. Industrial espionage has developed in

cyberspace as a way to maximize investment – or deny
others the fruit of their efforts. Whether conducted by
otherwise legitimate corporations, or any of the other
classes of cyber actors mentioned here, industrial
espionage undermines fair business practices and is
often supported by nation states as a means to advance
their societal capabilities and industrial base with little
investment. Corporate actors are also difficult to pin
down because assets may be compromised from both
inside and outside the corporation.
• Criminals and Criminal Enterprises. Many threats in Are Americans ready for cyber attacks that can disrupt the delivery of
cyberspace are motivated by personal financial gain essential goods and services? Graphic courtesy of CACI.
or related to criminal acts of vandalism. Criminals and cyber-summit. In the anonymity of cyberspace, common
criminal enterprises within cyberspace have become cause can be found, plans made, and actions coordinated
more organized, including highly organized rings that and taken. The attackers may have never met in person,
traffic in personal information, credit cards, identities, before, during, or after the attack. Attacks can be directed
and other information with value. In many cases, against individuals, corporations, governments, or against
criminal software and hardware development capabilities any combination thereof.
rival those of software and hardware industry leaders.
A commonly used mechanism to describe the degree to
• Terrorists. Because cyberspace offers anonymity, which a system is vulnerable is to describe the “surface
terrorist organizations have begun to use the Internet area” that is exposed to threat. With the many systems
as a key tool to support recruitment, funding, and connected to the Internet, cyberspace exposes a vast
organization goals. Cyberspace provides an easy surface area with innumerable vulnerabilities that a threat
way to fund terrorist activities and transfer resources may exploit.
through anonymous online transactions. It also
provides the means to transfer knowledge and There are literally billions of points from which an attack
provide command and control to support the terrorist can be launched using ordinary technology available
organization. Unlike criminal enterprises, because almost anywhere to anyone. Any software technology
motivations are not driven entirely by greed, terrorist that cannot be found for download on the Internet can be
activities are more difficult to counter. obtained through black or gray market channels. Other
assets, like botnets, can be rented over the Internet.17
• Nation States. Nation states have long recognized
the value of information systems as critical elements The asymmetries of converged computer and communi-
of good governance practice, but they have also been cations technologies available to cyber actors are espe-
used to subvert other nation states’ security. In the cially striking. Beyond an Internet-connected computer,
national security arena, computing systems have the cyber attackers’ marginal technical and operational
long been used to break encrypted messages and resource requirements are low. The barriers of entry to
disrupt communications and command and control cyber actors at all levels of organization are low. The
systems. Because identities are difficult to trace in cost of exploits is low. The cost of launching attacks is
the cyber domain, it is difficult to determine the low. The cost of failure or getting caught is also low.
nation state behind a given attack.
17 A botnet (“robot network”) may be described as a collection of
networked and compromised computers under the remote command and
As far as these cyber actors are concerned, the same
control of a criminal adversary. “Over 1 Million Potential Victims of Botnet
converged computer and communications technologies Cyber Crime,” FBI Press Release, June 13, 2007. Accessed at http://www.
that enable any cyber threat also facilitate a virtual fbi.gov/pressrel/pressrel07/botnet061307.htm on May 25, 2010.

UNCLASSIFIED
As society becomes better at protecting information • There are asymmetries in the education needed to
technology assets, attackers will look to identify more attack/manipulate vs. protect and defend due to
cost-effective means to carry out their attacks. In the the easy availability of technologies in the global
case of specific, well-protected systems, attackers may marketplace.
already be looking to the supply chain as a potential
vulnerability vector. For a nation state, targeting an • There are major cost asymmetries.18
individual supply chain of a weapons system or a system The highly opportunistic and enigmatic nature of cyber
not connected to the Internet may be the only cost- threats is unlikely to change any time soon.
effective way to affect the balance of power in its favor.
Consider the following scenario. In order to target a spe- 2.2 Cyber Threats Affect Everyone
cific system, the attacker must generally do one of two
things: identify vulnerabilities to establish a foothold and It is clear that the impact of an attack through and on
gain privileged access to the computing resources of the cyberspace will affect all aspects of society. Modern societies
system, or overload the system to cause it to malfunction. are dependent on technology in general and cyberspace
in particular for providing safety and security through the
Ubiquitous vulnerabilities present a great opportunity to effective delivery of essential goods and services.
disrupt systems. The majority of vulnerable systems in
cyberspace are personal workstations or other systems Cyberspace also has become an enabling medium
that have limited value, except to the individual that for communications within society and between the
regularly uses the computer. government and constituents. As modern society
develops, additional cyber capabilities will be adopted,
However, attackers have found ingenious ways to exploit including electronic voting and other technical processes
these low-value computers. Attackers aggregate large groups that will be critical to society’s function in ways that
of such computers into botnets that can be used to overload may be unimaginable today.
systems. The development of botnets by an attacker also
may be a preliminary stage of a larger attack to come.
The amount of damage that can be done by a cyber

attack is, then, highly likely to be greater than the cost of
the resources required to plan, develop, and execute the
attack. While attacks on specific, well-protected systems
may require a much larger investment and may be less
asymmetric, cyber attacks generally tend to be highly
asymmetric, offering attackers an extremely high return
on their investment.
Among other important asymmetries associated with the

cyber threat are these:
• Defenders need to be successful always and

everywhere, usually at high cost, while attackers
need to be successful only occasionally. Criminal-controlled robot networks, or “botnets,” in which computers are
infected with malicious software that allows them to be controlled by a remote
• Governments are slow to respond, lacking agility operator, represent a growing cybersecurity threat. Graphic courtesy of CACI.
compared with asymmetric cyber actors.
18 For example, consider the recent disclosure that unencrypted video
• The pace of technical change is great and funded by signals from American unmanned aerial vehicles (UAVs) have been
intercepted with software available over the Internet for less than $30. The
the ever-growing mass market. cost of retrofitting the UAVs with encryption technology is much greater.

UNCLASSIFIED
affect the morale of society through diffuse attacks on

less-than-critical functions. Government must establish
effective programs and processes to counter the effects
of both types of attacks.
2.2.2 Impact on the Private Sector

The private sector plays a key role in cybersecurity and
the security of supply chains. Not only does the private
Malicious code secretly built into a single thumb drive can take down an
entire network. Image in public domain.
sector own and operate 90 percent of the critical infra-
structure, it manages and operates the vast majority of
Today’s world of ever-increasing efficiency is driven the information technology supply chain and other sup-
by the automation and connectivity provided by ply chains supporting the United States. Cyber attacks on
cyberspace. Just as automation and advanced technology the private sector therefore impact society very broadly.
in agriculture improved methods of meeting the needs
of a growing population, the automation provided by At the same time, the government has less leverage
information technology allows society to meet the needs in requiring private sector entities to maintain secure
of a larger population. cyber infrastructures, at least compared to government
control of its own departments and agencies. Protecting
The question is whether society can tolerate the loss of commercial cyberspace may require greater controls, as
automation capabilities for an extended period of time. well as incentives, than are currently in place.
In many ways, the current culture of the United States
has not developed a fully informed appreciation of One important issue is the amount of high-end
the potential effects of a cyber attack on critical social technology devices produced overseas, particularly
processes. Like the transformation in awareness of the in China and other emerging markets. Many basic
reality of terrorism between September 10th and 11th, communications devices, like handheld radios, may
American opinion is in many ways yet to be formed soon no longer be available from U.S. manufacturers.
regarding the consequences of, and responses to, a major Thumb drives made overseas may contain unwanted and
cyber attack. potentially infected software.
2.2.1 Impact on Government Outsourcing data centers to locations abroad is another

questionable practice. It is of great concern that vast amounts
Attacks on government generally take two main forms. of U.S. data are stored or routed by overseas facilities. This
makes vigorous risk mitigation strategies and actions even
Direct attacks on national security seek to undermine
more important in the existing threat environment.
government by degrading its ability to ensure the safety
and security of its constituents. Typically, adversaries 2.2.3 Impact on Individuals
seek to attack critical systems and government functions
to destroy society directly. These attacks may also Individual computer users play an increasing and high-
prevent the U.S. military from communicating with units ly critical role within the cybersecurity environment.
in battle zones or affect the ability to direct an attack by
certain remote assets. Because the U.S. population owns the largest share of
converged computer and communications technologies
Indirect attacks on government manipulate messages in the world, U.S. citizens possess a large pool of poten-
or government information to undermine trust in that tially vulnerable systems that may be surreptitiously co-
government held by citizens, other governments, and opted by botnets. This kind of exploitation increases the
non-governmental organizations. Attacks of this nature complexity of conceptualizing and dealing with cyber
may disrupt or subvert regular programming with attacks because these botnets may be located within U.S.
threatening messages. These types of attacks seek to territorial boundaries and owned by U.S. citizens.

UNCLASSIFIED
3 Securing Supply Chains

Everyone who sits in front of a PC, or uses a smart phone
or other Internet-enabled device, is a potential cyber
warrior. Individuals are either an asset or a liability to the in the Cyber World
security of the systems they and everyone else utilize,
whether in their personal capacity or in their public
capacity as an employee of an organization, a student in Today’s supply chains commonly encompass multi-modal
an educational institution, or in any other societal role. and globalized distribution systems.
That each user may be a cyber warrior is not a matter Supply chains exist within specific marketplaces that are
of dramatic license: it is literally true and easily demon- defined by customer needs, supplier capabilities, and ap-
strable. The recent breaches of Google’s infrastructure plicable regulatory requirements. Many involve critical in-
have been reported as having originated with a single frastructures or other sensitive products or services, making
Google employee in China who, according to press re- it imperative that at every point, repeatable and acceptable
ports, clicked “on a link and connect[ed] to a ‘poisoned’ controls ensure the integrity of the materials being procured,
web site” and “inadvertently permitted the intruders to produced, and distributed. Supply chains themselves can be
gain access to his (or her) personal computer and then to used to transport threats or carry out attacks by adversaries.
the computers of a critical group of software developers
at Google’s headquarters in Mountain View, Calif.”19 It is critical that supply chains be prevented from being
used as amplifiers or enablers for integrated or faceted
2.2.4 Impacts at the International Scale attacks. The interrelationships and dependencies between
supply chains for critical infrastructure and other areas
The recent breaches of Google’s infrastructure are must be well understood.
a powerful reminder that converged computer and
communications technologies are international in scope.
This is both because of globalized businesses like Google, 3.1 Supply Chain Threats
but primarily because the main value of these technologies and Vulnerabilities
is gained when they are connected together in cyberspace.
Supply chain security is generally defined in terms of
Some of the greatest expressions of the cyber threat assured storage and delivery of physical and digital
have been seen in international venues. The attacks goods and services. Yet there is much more to it. It is also
against Estonia in the spring of 2007 illustrate the the application of governance and controls that ensure
extent of international cybersecurity issues. Estonia’s the integrity of the supply chain business process, as
Internet infrastructure was attacked, causing the well as the material and products in the supply chain.
country’s numerous Internet-dependent citizens It uses technical and procedural controls to protect the
problems in carrying out financial transactions, and confidentiality, integrity, and availability of supply chain
preventing the government from carrying out certain systems, processes, and information.
governmental functions.
The consequence is that the impacts on government,

industry, and individuals are replicated in every part of “In the modern world, the supply chain is information.
the world, wherever cyberspace has been extended. The When something has been ordered ... where it’s going
exact scope of the benefits of cyberspace, as well as the to be manufactured and by whom and how much and
threats, varies from locale to locale. In some regions a what specifications ... all are either on the Internet or in
particular benefit or threat is enhanced, diminished, or private data systems that are subject to being hacked
absent, but the overall pattern is invariant. and invaded.”
– Former Virginia Governor James S. Gilmore, III
19 John Markoff, “Cyberattack on Google Said to Hit Password
System,” New York Times, April 19, 2010.

UNCLASSIFIED
There are very few acquisition systems that track an end

item completely through the supply chain, whether it is
the raw materials that electronic components are made
from, the printed circuit boards that are assembled from
the electronic components, or the electronic components
that make up a sub-system. Most program offices,
manufacturers, and vendors see their responsibility
as taking material from their supplier, performing the
operations that they are (contractually or officially)
responsible for, and delivering that product to the next
stage in the supply chain.
Rather than a global systems assessment, the practical

expedient is that the component has simply to work, to
perform as expected. The group that manufactures silicon
chips usually does not know, or really care, whether the
chips are going into a low-power radar amplifier or a
U.S. troops unloading supplies and equipment in southern Afghanistan. Every high-speed computer, as long as they pass their factory
step of the supply chain must be secured to prevent asymmetric threats from
targeting resources that protect and serve U.S. warfighters. Photo courtesy of acceptance test. The manufacturer has little interest if a
Air National Guard. box of silicon chips sits unguarded in a railroad siding
In protecting the supply chain, it is critical to for three weeks. As long as it gets to the next producer in
understand the value of both what passes through the the supply chain by the contractual delivery date, the chip
supply chain as well as the information managed by manufacturer and their customer are content.
the supply chain. Technical information, intellectual
The same is true for the manufacturer of the low-power
property, and production methods must be protected.
amplifier. Along the supply chain, no one may know or
Because industrial espionage targets this type of
care if the amplifier is going on a ship, an airplane, or a
information, it is necessary to ensure there is no
land-based station. No great importance is attached to the
leakage of technical information. The unauthorized
fate of this amplifier once it passes the factory acceptance
modification of technical details can affect the integrity
test and is delivered to the radar manufacturer in accor-
of the products being delivered.
dance with the terms and conditions of the subcontract.
Protection of supply chain processes is also critical. Be-
The fundamental problem is that there are very few
cause the knowledge of the supply chain workflows, func-
individuals or companies that focus on the global end-
tions, review techniques, sampling and audit capabilities,
to-end requirements or security of the supply chain.
and risk management controls can be use to prosecute
Components of all scales are usually considered fungible
effective attacks, processes must be protected from dis-
and, consequently, most suppliers are not paid for
closure. Additionally, the visibility of partner information
ensuring all aspects of quality and security as described
must be balanced with the risks associated with its release.
here. That degree of oversight is most often neither
An adversary targeting partners upstream can have serious
contractually nor culturally their job or their responsibility.
consequences for the integrity of the end product.
Absent detailed, objective knowledge of the entire
How do the U.S. government and the U.S. as a whole
chain, if there is no assessment of the security of all the
allocate resources to assure supply chain security?
suppliers, customers, interfaces, and every link in the
What is the biggest risk? Today, the greatest vulnerability
chain, it is not possible to truly know where security
may be that U.S. supply chains are fragmented.20
investment dollars are going. Very few organizations
20 Lieutenant General Claude “Chris” Christianson, CACI-USNI assess the entire chain for weaknesses, analyze the results,
symposium comments. or support a common outcome.

UNCLASSIFIED
3.2 Securing the Supply Chain chain to maintain return on investment. To ensure
protection is in place to meet the trajectory of the supply
Protecting supply chains will require a widespread effort. chain threat, incentives must be provided to maintain
While the challenge seems daunting, there are several focus on developing controls within the supply chain.
opportunities available.
The financial services sector provides a good example of
Each element in the supply chain must be examined in a the level of effort required to manage these relationships.
consistent, objective fashion, and the resulting data must Service providers employ standardized mechanisms to
be analyzed to determine its status relative to other ele- transmit information on operational and security risk.
ments to create a common picture. Supply chain networks They use standardized processes to continuously audit and
should be designed to maximize their dependence on tech- assess the effectiveness of security controls. This provides
nology for their resilience, minimizing reliance on human early warning of emerging problems by creating visibility
interventions. This is desirable since there are too few into risks in the operating environment.
people to respond quickly enough to every attack.
An even better example comes from the identification of
To maintain resiliency in the face of a highly fluid cyber controls designed to drive up the costs to an adversary
environment, and an only somewhat more stable physical attacking the supply chain. When the cost of attack is
environment, it is necessary to continually monitor and greater than the cost of implementing controls, defenders
adjust the supply chain. Identifying and maintaining the realize a return on investment.
high ground, not clearly defined in the cyber domain,
This use of the supply chain as a deterrent requires a change
requires a solution expressed in terms of Doctrine,
in perspective. Potential returns should be identified and
Organization, Training, Material, Leader Development,
prioritized to support deterrence efforts. Instead of viewing
Personnel, and Facilities (DOTMLPF).21
the supply chain as a target, it may be time to make it a
Establishing a supply chain in this manner permits the cre- useful control point in defending the national interest.
ation of a response framework based on the ISO 28000
It is critical to have an appropriate high-level focus on the
series, the World Customs Organization, the Department of
long-term strategic need for security within all aspects of
Homeland Security Customs Trade Partnership Against Ter-
the systems development lifecycle. A common language
rorism, and similar standards and approaches.22 It would be a
of supply chain security must also be developed. In
series of supply chain supplier and customer conditions and
many cases, there is a lack of technical underpinnings
risk assessments that allow for a structured assessment of
that support the communication of supply chain integrity
processes and measurement standards. Performance would
information between partners within the supply chain.
be measured and corrective actions taken where necessary.
This approach provides the additional benefit of increased 3.2.1 The Information Technology
efficiency because the time and resources necessary to Supply Chain
inspect a trusted supplier’s products would be minimized,
Threats to information systems security that originate
while focus on products from uncertified suppliers would
from the Internet have consumed public attention. Yet it
be maintained. The result would be reducing the cost and
is safe to say that nothing in today’s supply chain moves
schedule of supply chain shipments where appropriate,
without electrons. Therefore, the security of supply chain
while helping to ensure security of the right product, to the
technology is paramount.
right place, at the right time.
The integrity of the supply chains that produce the
As the U.S. becomes better at resisting the threat to
converged computer and communications systems that
cyberspace, the attackers will be forced into the supply
support all other supply chains is absolutely essential
21 DOTMLPF refers to the standard set of factors to be considered to the integrity of products within each supply chain. If
by the military when establishing a new national security capability. information technology supply chains are insecure, then
22 See the glossary for more information.

UNCLASSIFIED
all other supply chains are insecure by inheritance. It is

the link upon which all others depend.
However, when considering the threat to society, it is

critical to focus on the threats to information systems
and the components of information systems throughout
their development lifecycle.
From the time raw materials are obtained to build

hardware components, or when designs are drawn up for Computer and communications supply chains are the “supply chain of supply
chains.” If information technology supply chains are compromised, all other
software, to the time the cyber systems are disposed of, supply chains are potentially compromised. Graphic courtesy of CACI.
they are under constant threat of manipulation or attack.
Current cybersecurity efforts are focused primarily on Historically, however, supply chains that produce general
governance and compliance efforts that seek to provide information technology components have not incorporated
a base level of security for systems once implemented. controls to ensure the integrity of the information systems
The defect of this approach is that it does not account developed, even though they are the weapons of today’s
for the integrity of system components as they travel and tomorrow’s cyber battlefield.
through the supply chain prior to procurement. Because
the supply chain is now a complex, interlocked process, This simple reality is recognized by the Comprehensive
threats can originate from anywhere worldwide. National Cybersecurity Initiative (CNCI), which de-
votes an entire initiative to security of the information
Some supply chains related to specific systems and com- technology supply chain. In fact, CNCI-11 includes the
ponents have been secured. They include those involved requirement that the federal government lead the efforts
with development of weapons systems or that handle in developing processes and capabilities that support the
controlled or hazardous materials, such as nuclear and integrity of information technology systems.
chemical materials. Unfortunately, there have been no-
table exceptions, including one of the Pentagon’s most In the meantime, there are various technology solutions
expensive weapons programs.23 than can help counter cyber threats to information technol-
ogy supply chains. Examples of these solutions include:
• Use of PKI and other strong authentication

technologies to enable supply chain providers to be
sure that they are doing business with the partners
they trust, and that information passed between
partners is authentic and has not been manipulated.
• Use of detection, prevention, and remediation

controls such as a host-based security system
(HBSS) to ensure that the systems supporting the
supply chain perform as intended and that any
attempt to subvert the supply chain through the
supporting technology is detected and reported.
Multiple solution sets must be in place to counter a myriad of cyber threats.
Graphic courtesy of CACI.
• Use of hardware facilities to ensure that the integrity
of a system cannot be compromised at the software
23 Although many details about the attack were not released, level, and that advanced capabilities are provided
attackers were able to download a significant amount of information
to automatically notify security and operations
related to the F-35 jet fighter. Siobhan Gorman, August Cole, and
Yochi Dreazen, “Computer Spies Breach Fighter-Jet Project,” The personnel of potential anomalies that may indicate a
Wall Street Journal, April 21, 2009. security breach.

UNCLASSIFIED
• Assurance that systems behave in the manner which can be used to compromise those systems in
intended, and that controls are in place to ensure, combat.25
on a continuous basis from the outset, that new
commands or corrupted protocol messages are • Misdirecting, holding, or delaying shipments.26
prevented from reaching the application. • Substituting counterfeit parts or equipment.27
In sum, the U.S. needs to find a mix of defense in depth • Ordering duplicate parts/equipment.
and defense in breadth, the correct balance of technology
and protective measures that permit affordable and These and other interferences will require resources
functional systems that meet reasonable, yet practical, to track the missteps, and may require reshipment. All
capacity and speed requirements. cause delay and disruption, inefficiency, and mistrust
in the supply system. Deployments may be missed and
missions put on hold. Substitution of counterfeit parts
3.3 Operational Perspectives on can produce a wide range of adverse results, ranging
Securing the National Security/ from short-term mission failure to strategic failures
caused by a compromise of command and control assets.
Defense Supply Chain
DoD efforts in defense of supply chains must be as
The Achilles’ heel of any supply chain is that it is a highly seamless as its adversaries’ means of penetration. To its
fragmented process. For DoD, as for most federal agencies credit, the Department recognizes this as the nation’s
and commercial enterprises, it is difficult to ensure that op- greatest supply chain challenge.
erators, companies, and organizations look beyond their im-
mediate supplier or the next customer in the supply chain.
Do the system integrators research where the individual

chips or circuit cards come from? Or do they assume
that if these electronic components pass receipt
inspection, they are ready for production? When they
ship the “black box,” do they send it off and track it
to the warfighter, or just make sure it gets to the next
processor in the supply chain?
Cyber warriors know no borders. While our supply

chain business processes are highly fragmented,
access to national security supply chains is highly
integrated through the convergence of computers and
communications. Through the Internet alone, adversaries
can find the weakness in fragmented business processes
and exploit them. Adversaries can take actions such as:
• Exfiltrating technical data for prime weapons

Complex new automated maintenance systems employed by the U.S. Air Force
systems like the F-35, which may be used to are increasing the reliability and endurance of aircraft but can also be targets of
compromise mission capability in future conflicts.24 cyber attacks that may have crippling effects on military readiness.
Photo courtesy of U.S. Air Force.
• Placing “backdoors” into weapons platforms,
25 Wallace, op. cit.
sensor systems like air-defense radars, and other 26 Hon. Gordon England, CACI-USNI symposium comments.
mission-critical systems, including the electric grid, 27 Gilmore, op. cit., citing a 2008 FBI report that found 3,600
counterfeit Cisco chips inside the networks of the Defense
24 Hon. Loretta Sanchez, CACI-USNI symposium comments. Department and power systems of the U.S.

UNCLASSIFIED
There are several aspects that might be included. First

is early warning.30 Early warning requires constant
monitoring of the environment, the supply chain, the
mission status, and the warfighting readiness of the
force. Converged, frequent, integrated communication
from the private sector all the way to the tactical
edge, from the source of supply to the consumer, is
vital. Also important is awareness of global events:
weather, political, physical conditions, and operational
intelligence.31 Global awareness provides the ability to
be predictive and proactive, and to rapidly recover when
breaches occur.
The U.S. Transportation Command is focused on expanding supply chain No matter how well organizations attempt to prevent
visibility to better protect goods and services delivered to the warfighter. security breaches, no systems are ever totally free from
Seal courtesy of U.S. Transportation Command.
vulnerability, and every system can be compromised in
With the designation of the U.S. Transportation some way. This fundamental realization is essential to
Command (TRANSCOM) as the distribution process developing and sustaining the resilient systems essential
owner for DoD, delivery processes are on the road to mission success.
to improvement. TRANSCOM, having already
experienced no less than 150 cyber attacks, is working When breaches occur, what matters is the ability to
to expand supply chain visibility to a true sense-and- continue to conduct the mission, or to quickly get
respond logistics that reaches back to the suppliers and back online to provide supplies to the warfighter. Or-
forward to the warfighter.28 ganizations must know when supply chains have been
breached, and to what extent. Risk recovery plans must
However, beyond the distribution process for be in place, up-to-date, and well rehearsed. Sufficient
DoD, U.S. and foreign industrial members of the alternate inventories, at alternate locations, must exist
supply chain remain insulated from each other.29 and be accessible in a timely manner. These will be the
Every place there is a seam, there is a vulnerability measure of logistical success, and probably the combat
open to exploitation. The continuing inability to success of the warfighter.
completely integrate the supply chain remains a
significant problem. This issue applies not only to The paradigm shift to a global marketplace has had
new components, equipment, and systems but also to staggering implications for securing DoD supply
items being returned for repair, whether to a depot or chains.32 The U.S. no longer builds all, or even most, of
the original equipment manufacturer. Moreover, it is the information and communications technology that
a concern for every industrial base and supply chain runs its networks.
partner, both public and private. Ten years ago, American industry couldn’t sell a
How might these risks be mitigated? Significant computer chip to friendly nations without violating
aspects of a mitigation plan are possible through the export controls. Now U.S.-branded products made in
application of converged information technology and China and other foreign locations are bought and sold
communications technologies, but employing these routinely. Some sources estimate that as much as 90
technologies must make the situation better; status quo percent of the integrated circuits produced in the world
is not an option. What would these technology-based are made in China. This means that when a Chinese or
risk-mitigation strategies look like? other foreign vendor supplies integrated circuits to DoD,
30 Ibid.
28 Wallace, op. cit. 31 Ibid.
29 Christianson, op. cit. 32 Wallace, op. cit.

UNCLASSIFIED
4 The Way Forward:

they can implant faults or corrupt algorithms in almost
any DoD environment, even classified ones. Further,
many of our computer manufacturing and Internet A View From the Hill
companies, Google for example, are a significant part
of the Chinese economy. This creates not only an and Beyond
opportunity for corruption but also the potential for
divided loyalties. Also factor in that every day, thousands
The gravity of the growing threat posed by cyber attacks
of attacks on U.S. networks emanate from China.
– especially when measured against the particular
Under these circumstances, DoD, like most enterprises, vulnerabilities of vital global supply chains – challenges
may be unable to control the products or workforce. the foundations of our national security and demands
The Department is just one of many consumers. It must a concerted response by the executive and legislative
therefore develop a new cadre of experts. branches. The pervasive and rapidly evolving cyber threats
must be countered with forward-thinking, adaptable
These must be professionals who can purchase legislative initiatives implemented with flexible rulemaking.
components and products, test them to a satisfactory
level, and break away from the mindset that assumes Although such a concerted response from the legislative
the vast majority of products and services are designed, and executive branches cannot be expected to anticipate
developed, manufactured, and supported by traditional and address every aspect of the cyber threat, it is
U.S. manufacturers. In particular, DoD supply chain certainly possible to enhance the efficiency of national
managers have to be specifically (re-)trained to manage efforts. It requires an approach designed to strengthen
in this globalized environment where the U.S. no longer specific cyber-related legal authorities, clarify the roles
controls the labor for, or the sources of supply of, and responsibilities of affected executive agencies, and
hardware and software. change public perceptions.
CNCI-11 addresses many of these issues from a

converged computers and communications technology 4.1 Legislative Branch Initiatives
supply chain perspective.
Recent years have witnessed a wave of legislative
Tasked under the National Security Presidential initiatives intended to improve cybersecurity. However,
Directive 54 and Homeland Security Presidential attempts to comprehensively address cyber threats have
Directive 23, the initiative recognizes that significant been complicated by a number of factors, including
gaps exist in the U.S. government policy regarding the “uncertainty of the geographic location of the
supply chain risk management. In particular, there is perpetrators of cyber attacks [and] the introduction of
no mandate to address risk management in acquisition new vulnerabilities to the nation’s infrastructure from
programs, there are limited risk management tools, increasingly sophisticated threats.”34 Notwithstanding
and there is a lack of guidance on the use of vendor these formidable obstacles, it is essential to enact
threat information. legislation that is carefully crafted to advance a
comprehensive national strategy capable of adapting to
Going forward, the U.S. must determine how to do as evolving cyber threats.35
good a job of controlling supply chain security as it does
controlling the seas with the U.S. Navy and the air and Strategically, remedial cybersecurity-enhancing
space domains with the U.S. Air Force.33 legislation should be developed in concert with affected
executive agencies, as well as their congressional
34 Catherine A. Theohary and John Rollins, “Cybersecurity: Current

Legislation, Executive Branch Initiatives, and Options for Congress,”
Congressional Research Service, September 30, 2009.
33 Robert Carey, CACI-USNI symposium comments. 35 England, op. cit.

UNCLASSIFIED
adjunct would be to create a cybersecurity “reserve

force” composed of individuals who could leave
their private sector jobs to serve temporarily, without
jeopardy to their private employment. Along the same
lines, the U.S. will benefit from a federal cybersecurity
organization with a well-defined charter and attendant
authorities analogous – and complementary – to other
federal organizations with oversight, direction, and
control over a particular area of responsibility, such as
the Office of the Director of National Intelligence and
the Departments of Defense and Homeland Security.38
Such initiatives will require the authorization and

appropriation of dedicated funding to accommodate
the new organization’s start-up and recurring operating
The legislative and executive branches of U.S. government must work costs. Competing budget requirements from other
together to craft initiatives and implement actions that will be decisive in concerned federal agencies, and pressure from state and
countering cyber threats. Graphic courtesy of CACI. local authorities for federal assistance, must be balanced
oversight committees. The resulting legislation to yield resources that are commensurate with the roles
must be sufficiently general to account for emerging and missions of the organization, and the political
technology, while tailored to exploit the particular priority placed on performing them.39
strengths of the executive agencies that will be charged
Many commentators have noted that the Federal
with its implementation and enforcement. It must also
Information Security Management Act (FISMA) is
be respectful of the sovereignties of local and state
outdated because it has not kept up with the rapid
governments, and realistically grounded in the budgetary
evolution of the Internet and interweaving of converged
considerations that will continue to constrain all
computer and communications technologies.40 FISMA
lawmaking for the foreseeable future.
has earned a reputation for mandating laborious
Additional legislation will be required to create new, key reporting exercises that do not provide a meaningful
cyber-related positions within the executive branch, and picture of an agency’s security posture. An agency can
to vest certain existing positions with greater authorities get a good FISMA score and still be highly vulnerable.
in this area. Although such legislation has been proposed From a governance perspective, when FISMA was
in recent years, no significant initiatives have been passed enacted it amended the Government Information
by both houses. Thus, although legislation that would Security Reform Act, leaving intact the traditional
establish an “office of the National Cybersecurity Advisor” roles of the Department of Commerce’s NIST and the
under the cognizance of the President has been introduced, National Security Agency, which are not necessarily
it has not been signed into law. Such an addition to the complementary. In particular, it did not correct the
executive branch, if given sufficient policy-making “dichotomy that exists in the treatment of civilian and
and budgetary authority, could successfully spearhead national security systems.”41
meaningful change in the cybersecurity area.36, 37
38 England, op. cit.
Concomitant with the authority to create such new 39 England and Sanchez, op. cit.
40 Title III, E-Government Act of 2002, Pub. L. 107-347 (Dec. 17,
positions or expand the responsibilities of existing 2002); Langevin, op. cit.; and Langevin, et al., Securing Cyberspace
positions should be the ability to offer enhanced for the 44th Presidency, A Report of the CSIS Commission on
compensation to incumbents. A potentially valuable Cybersecurity for the 44th Presidency, Center for Strategic and
International Studies, Washington, DC, December 2008.
36 Hon. Jim Langevin, CACI-USNI symposium comments. 41 Cyberspace Policy Review, published by the White House,
37 Theohary and Rollins, op. cit. May 8, 2009.

UNCLASSIFIED
Further, federal law must be revised to properly 4.2.1 Aligning Agency Roles
incorporate the private sector and foreign allies. and Responsibilities
Without legislation that supports greater information
sharing, as well as military, intelligence, and logistical Executive branch policy must better clarify and define
support to private sector counterparts and allies, U.S. agency roles and responsibilities. A particular challenge in
cybersecurity efforts will continue to be challenged.42 chartering any central cybersecurity organization concerns
the essential role of converged computer and communica-
tions technologies in every domain of endeavor and every
4.2 Executive Branch Action: federal organization. There will be a corresponding inter-
Developing and Defining Policy weaving of charter responsibilities between the cybersecu-
rity agency and every concerned federal agency.
However carefully crafted, cybersecurity legislation
will not be fully effective without concerted, Currently, “agencies have overlapping and
innovative implementation by the executive branch. uncoordinated responsibilities for cybersecurity
In this regard, President Obama and his recent activities”45 under existing executive branch guidance.
predecessors have promulgated executive agency The CNCI itself faces substantial challenges that cannot
policy initiatives designed to safeguard U.S. national be overcome unless roles and responsibilities of “all
security – including America’s supply chains – key CNCI participants … are fully coordinated.”46
from cyber threats, including previously mentioned Furthermore, greater consideration should be given to
directives like National Security Presidential Directive performance measures within the CNCI. It is critical to
54 (NSPD 54) and Homeland Security Presidential evaluate how well the various government actors are
Directive 23 (HSPD 23). executing on this initiative.47
Among other things, NSPD 54 and HSPD 23 reportedly The Departments of Commerce, Defense, and Homeland
authorized efforts that included “safeguarding Security; the Intelligence Community; and other
executive branch information systems by reducing executive branch entities also have various overlapping
potential vulnerabilities … and anticipating future and potentially competing responsibilities. Presidential
threats.”43 On May 29, 2009, a little over a year policy guidance is required to ensure consistent and
after NSPD 54 and HSPD 23 were formulated, complementary implementation of cyber-related authorities
President Obama directed a 60-day policy review of that have been prescribed to various federal entities.48
“cybersecurity-related plans, programs and activities.”
In addition, DoD, the Office of the Director of National 4.2.2 Defining Terms
Intelligence, and other executive agencies provided
The executive branch must provide policy that precisely
policy guidance for their respective organizations.
and uniformly defines government-wide cybersecurity ter-
Notwithstanding these efforts, cybersecurity must minology. Without a common, clearly understood lexicon
continue to rank among the President’s highest defining key terms and their connotations, federal agencies
priorities.44 This is key to remedying the deficiencies will continue to be hampered in forming and carrying out
that remain, both in developing an overarching the collaborations necessary to address cyber threats.
strategic approach to cyber threats, and in prescribing
rules to interpret and implement aspects of specific 45 Ibid.
cybersecurity initiatives. 46 Ibid.
47 Azmi, private communication.
48 The Department of Commerce’s NIST, for example, was directed
42 Langevin, op. cit. under the Independence and Security Act of 2007 to oversee various
43 Gregory C. Wilhusen and Davi M. D’Agostino, Cover letter to initiatives related to reducing various cyber threats and facilitating
Government Accountability Office (GAO) Report on Cybersecurity, an interoperable infrastructure for many agencies. Meanwhile, other
GAO-11-338, March 5, 2010. departments have similar and seemingly overlapping and/or possibly
44 Hon. C.A. Ruppersberger, CACI-USNI symposium comments. conflicting mandates.

UNCLASSIFIED
establishing the range of potential responses. Although it

may be convenient to place cyberspace, like outer space,
within the ambit of international law, it is not entirely clear
that all cyber attacks necessarily constitute acts of war.52
The rules of engagement, including the parameters of a

proportionate response and whether there is any such notion
as a “just information war” must be addressed.53, 54 Further-
more, the necessary task of defining boundaries between
sovereign territory and international “space” in the cyber
domain has proven to be enormously complex. While some
have attempted to draw parallels to outer space law and
have turned to the United Nations Charter and related trea-
When is a cyber attack an act of warfare? An ongoing challenge facing govern- ties and policies for guidance, additional international legal
ments and lawmakers worldwide is identifying the boundaries between sovereign agreements and arrangements will likely need to be
territory and international “space” in the cyber domain. Graphic courtesy of CACI.
promulgated with international partners to ensure a com-
Even the term “cybersecurity” itself has varying mon understanding, implementation, and enforcement.55
connotations and conflicting meanings to different U.S.
government departments, including those agencies vested Greater clarification is also required in existing policy
with primary responsibility for U.S. cybersecurity.49 For and related legal analysis concerning the definitions of
example, in DoD, cybersecurity has defensive or offensive such terms as “cyber criminals” and “cyber terrorists.”
military connotations, whereas at other agencies the term Without clear definitions, the U.S. will continue to be
refers only to information security.50 constrained in acting effectively since the legal rules that
apply to each group differ significantly.
In order for the executive branch to provide policy
direction that binds all government agencies, it must be 4.2.3 The Role of Diplomacy
issued at the Presidential level. Despite recent Presidential
attempts to provide additional policy guidance in the Diplomatic initiatives, which are the responsibility of
cybersecurity area, there is no indication that any the executive branch, will need to complement domestic
of these directives provide the degree of clarity that actions. They should be directed toward addressing the
executive branch entities will require to mount the closely special challenges, threats, and opportunities arising
collaborative responses necessary to counter cyber risks. from the cyber domain, which exists beyond physical
space and knows no borders.
In addition, a more fully developed legal framework
should be adopted for analyzing executive branch cyber- Initiatives at the international level, such as forming a
related policies and rulemaking. For example, it is not joint working group with the European Union on common
necessarily clear how the U.S. would legally treat cyber policy supporting cyber protection, intellectual property,
attacks from another nation state under existing policies. and intergovernmental information sharing with regard to
If, for example, cyber attacks are, as some predict, the cyber threats, are called for. Such an action would create
first phase of any attack mounted by U.S. adversaries, opportunities to advance a smart power perspective.
what legal recourses would be available to the U.S.?51
While there have been initiatives to coordinate interna-
While attempting to account for the difficulty in attributing tional efforts that combat cyber crime and terrorism, such
responsibility for cyber attacks, executive branch policies 52 England, op. cit.
also must incorporate more sophisticated legal paradigms 53 Langevin, op. cit.
54 Scott Shackleford, “From Nuclear to Net War: Analogizing
49 Theohary and Rollins, op. cit. Cyber Attacks in International Law,” Berkeley Journal of
50 Ibid. International Law, February 20, 2009.
51 Ruppersberger, op. cit. 55 Ibid.

UNCLASSIFIED
4.3 A Private-Public Partnership

One of the key aspects of successfully implementing
any public policy and a complementary private sector
strategy is to ensure proper incentives and disincentives
are in place to align private action with societal goals
and objectives.
To date, market forces have not favored products with

cybersecurity capabilities that make systems secure at
the level required for national or economic security.57
Companies, and by extension broader society, still
view cybersecurity as a revenue drain or an add-on, not
as an imperative.58 Consequently, adequately robust
cybersecurity products have not benefited from the
economies of scale of the global mass market.
The result has been a “market failure” to the extent that

the U.S. can’t afford the security necessary to survive
in a system it created.59 “We know there are things that
The cyber domain crosses all space and borders. International cooperation, we can do that would put these supply chains in better
achieved through diplomatic initiatives, is necessary for global cybersecurity. stead in the cyber warfare scenarios,” says an officer of
Image in public domain.
the Defense Logistics Agency, which provides supplies
as the Council of Europe’s Convention on Cybercrime, and services to America’s military forces, “but our
ratified in 2001, significant work remains.56 Constructs customers want us to be cheaper.” 60
that manage cybersecurity risks must be in place and
broadly subscribed to by the international community. To Since competition for information technology systems
date, there have been no formal international agreements is furious and capability is often considered over se-
related to the cybersecurity of supply chains. curity, industry continues to develop insecure systems.
Purchasers continue to select “competitively priced”
Implementing agreements between members of the in- products with insecurity engineered in even while the
ternational community is a challenging issue beyond the U.S. becomes increasingly less able to afford them from
well-known challenges of diplomacy. The novelty, recent a security standpoint.61
emergence, and lack of agreed-upon cyber terminology add
new levels of complexity. The cyber attacks against Estonia In an environment that demands the enhancement of
in the spring of 2007 illustrate the limits of international security in systems and supply chains, it is critical that
understanding of the impact of cybersecurity issues. During the U.S. government work with a diversity of market
the attack, there was difficulty achieving agreement as institutions to increasingly make secure products
to whether Article 5 of the North Atlantic Treaty, which economically desirable. This is essential in stimulating
requires members of the alliance to render assistance to demand for security within the marketplace not only in
North Atlantic Treaty Organization (NATO) members the U.S. but globally. Coordinated diplomatic activity
that fall under attack, was applicable in the case of the will also be needed to ensure that more secure products
cyber attack against Estonia, a NATO member. Within are accepted within the global marketplace.
the cyber domain, there was and is no agreed-upon defi- 57 Chabinsky, op. cit.
nition of a hostile act or act of war. 58 Ridge, op. cit.
59 Chabinsky, op. cit.
56 Accessed at http://conventions.coe.int/Treaty/EN/Treaties/ 60 Edward Case, CACI-USNI symposium comments.
html/185.htm on April 14, 2010. 61 Chabinsky, op. cit.

UNCLASSIFIED
information. Efforts like these should be encouraged

and built upon, with a clear expectation that it is the
responsibility of every organization, public or private, to
detect and address lapses or threats to security.62
In sum, a judicious balance of actions and incentives will
increase market demand for secure, resilient systems in
a way that clearly defines and communicates return on
investment and supports reasonable costs.
4.4 The Critical Role of Education

and Individuals
Strategic communications must ensure that every American understands that
cyber attacks pose a threat to everything from a single individual to the govern- In the absence of a broadly scaled public education
ment at large, to the entire power grid of the nation. Graphic courtesy of CACI.
campaign aimed at private citizens, no legislative
It is critical to foster innovation and support a global mar- or executive branch modification of the national
ket in secure information technology that will ultimately cybersecurity apparatus will have its intended effect.
drive out insecure products. This requires the continued
evolutionary development of the private-public partnership Public officials and private sector leaders must understand
that led to those insecure products. Effective communication and appreciate their roles and responsibilities in preserv-
between the public and private sectors of expectations, goals, ing cybersecurity and safeguarding the U.S. supply chain.
objectives, and progress in cybersecurity efforts is needed to Individual users of government and private information
ensure that the market is attuned to society’s security goals. technology systems must be educated regularly on the
importance of complying with applicable cybersecurity
The failure of past efforts can be tied to a lack of clear com- safeguards. Rank-and-file workers in industries key to
munication of the underlying intent of legislation. For ex- converged computer and communications technology, and
ample, the Sarbanes-Oxley Act required corporate top man- other U.S. supply chains, must be trained to prevent and
agement to certify proper control over financial reporting but deter cyber threats. And every American must perceive the
did not significantly boost the security of systems, though cyber threat in tangible, real terms.
it could have led to this outcome. Instead, another solution
path resulted, one which increased the cost of implementing The education of individuals is critical in other ways. Ef-
controls without broadly improving cybersecurity. forts related to establishing enhanced security must recog-
nize and protect the Constitutional right to privacy. Securi-
Additional policy measures must be adopted to increase ty methods that reduce the level of privacy, or are believed
joint efforts between the U.S. government and industry to do so, or impose restrictions that inhibit innovation, or
partners. Although DoD and other agencies have pro- are believed to do so, may not be accepted. Citizens in the
moted the sharing of cyber threat information among ex- U.S. are generally reluctant to support security measures
ecutive agencies and private sector partners, these initia- that are perceived as trampling on fundamental freedoms.
tives should be broadened to include more private sector There seems to be a greater fear and certainty of that than
participants and greater information sharing. the as-yet unappreciated consequences of a cyber attack
that takes down the power grid.
Government policy should also incorporate measures
to ensure that key contractors properly safeguard their In an open society the right to privacy should be widely
systems. DoD has made progress in this area, both by recognized, but there is also a recognized need for the as-
sharing information on threats, vulnerabilities, and best signment and acceptance of responsibility. Unfortunately,
practices with defense industrial base partners, as well the current design and implementation of the Internet and
as by proposing rules that will raise the standards for
information security at companies that store and use DoD 62 David Wennergren, CACI-USNI symposium comments.

UNCLASSIFIED
“Cybersecurity is generally thought about in terms of

technical challenges. I believe, frankly, the technical side
of this is the least challenging. This is an extraordinarily
5 Findings and
Recommendations
broad, difficult topic that is also a challenge socially,
politically, legally, economically, and educationally.” The cyber threat is unlike any other threat the U.S. has
ever faced.
– Former Secretary of the Navy Gordon R. England
Other threats, whether symmetric or asymmetric, have
employed technologies that directly extend and amplify
cybersecurity systems do not promote this accountability. human physical capabilities. From the spear to the
The Internet provides significant anonymity. Therefore, a ballistic missile, the tools of war extend the power of the
critical element in a successful cybersecurity initiative will human arm.
be a strategic communications initiative that emphasizes
that anonymity, which is not the same as privacy, is not a Like the human arm, the tools of hard power operate in
guarantee in the cyber commons. the familiar domains of land, sea, air, and most recently,
space. Never have there been threats of conflicts that
The cyber threat contends for the public’s attention take place in a domain that at once instantly connects
with numerous other issues. There is ample evidence everyone everywhere and pervades all private and
suggesting that the public’s perception of the magnitude public activities. Never have the technologies that
of the cyber threat does not match the seriousness of threaten the world directly extended or amplified human
the threat. In complementary fashion, the public lacks cognitive capabilities.
practical knowledge of cybersecurity best practices or
the need for applying them in everyday life.63 The cyber age has changed everything. Now a computer
produced by a compromised supply chain can be just as or
There is no doubt that the public is challenged not only by more dangerous than a physical weapon. Since the entire
the unique nature of the cyber threat but by its ubiquity, its supply chain for converged computer and communications
subtlety, and its failure to resemble threats of the past. Key technologies can be compromised, our entire information
thought leaders have also delivered inconsistent messages.
In a recent report, newly appointed White House cyber czar
Howard Schmidt was quoted as saying, “There is no cyber
war.”64 A week previously, Mike McConnell, former Direc-
tor of National Intelligence, wrote, “The United States is
fighting a cyber war today, and we’re losing. As the most
wired nation on Earth, we offer the most targets of signifi-
cance, yet our cyber-defenses are woefully lacking.”65 In
contrast and at about the same time, NATO Director for
Policy and Planning Jamie Shea was quoted as having ar-
gued that the threat should not be overhyped, insisting that
the threat from weapons of mass destruction remains much
greater than the dangers of weapons of mass disruption.66
63 Langevin, op. cit.
64 Ryan Singel, “White House Cyber Czar: ‘There Is No Cyberwar,’ ”
Wired.com Threat Level. March 4, 2010. Accessed at http://www.wired.
com/threatlevel/2010/03/schmidt-cyberwar/ on March 9, 2010.
65 Mike McConnell, “Mike McConnell on how to win the cyber-
war we’re losing,” The Washington Post, February 28, 2010. A critical element in a successful cybersecurity initiative will be communica-
66 Julian Hale, “NATO Official: Cyber Attack Systems tions that emphasize that anonymity is not the same as privacy, and is not a
Proliferating,” Defense News, March 23, 2010. guarantee in the cyber commons. Graphic courtesy of CACI.

UNCLASSIFIED
technology infrastructure can be thought of as a potential In general, Internet capabilities must be developed to
threat, ready without warning to disclose secrets, promote enhance the ability to attribute responsibility for cyber
falsehoods, or damage critical property. acts to individual networks, computers on the network,
and ultimately to a unique human identity. Similarly,
Applied to the cyber domain, deterrence tailored additional capabilities must be developed that allow for
to the attribution of cyber attack or manipulation is better control of identified risks and those that have yet to
remarkably hard, owing to the pervasive anonymity be discovered.
of the cyber domain.67 Creating systems that would
offer better attribution is part of the solution, because The U.S. must couple defense and prevention with a will-
at present perpetrators in the cyber domain have little ingness to actively respond to threats to the cyber supply
risk of being identified and punished for their actions. chain. The government must pursue the development of
However, with current technology, it is not easy to necessary diplomatic, policy, and legal tools to protect na-
associate the cyber attack or manipulation with a tional security and economic interests in a world that the
source computer. Even if new technologies could better U.S. has been instrumental in shaping. Like the Cold War,
identify a source computer, because of botnets and where at the outset the U.S. struggled to maintain parity, it
other forms of cyber manipulation, it is not a given that needs to invoke and focus the national will and devote the
the owner(s) of the computer took part in the attack. necessary resources to ensuring it achieves and sustains
Attribution is far from simple, and unlike nuclear cyber superiority.
weapons, cyber weapons are ubiquitous.
To properly support our ability to deter attacks against
Traditionally, cybersecurity has focused on purely our cyber and supply chain processes, the U.S. must
defensive strategies. Recognizing that the current also devote resources to developing capabilities that will
threat environment consists of constant attack, and ensure the country has the proper cyber technologies
that advanced persistent threats from determined and trained personnel to take their place among the
adversaries are continuously in play, dictates that other other instruments of national power. In particular, the
strategies be deployed. nation must build the capability to collect and analyze
The U.S. government has employed tried and true information related to the cyber capabilities of our
organizational methods through initiatives like creating adversaries, whether criminals, terrorists, or nation states.
the U.S. Cyber Command and recommissioning the 10th This is essential to ensuring early warning of impending
Fleet.68 At the same time it has recognized, in standing attacks, notification of attacks in progress, and forensics
up the command, that the sheer interconnectedness of following an attack.
the cyber domain makes it something altogether different
In addition, as majority owners of the U.S. critical
from familiar arenas. Since “comprehensive terminology
infrastructure, the private sector must be included in
and rules for cyberspace have yet to be developed, even
the deterrence and defense plans. To support its role,
articulating cyberspace threats and identifying options
for countering them is extremely difficult.”69
“Cyber threats can originate from anywhere, at any
67 Chabinsky, op. cit. time, and their credibility is difficult to determine.
68 The chief of naval operations (CNO) officially established the Unlike traditional warfare, the size of an arsenal is not
U.S. Fleet Cyber Command and recommissioned the U.S. 10th Fleet
necessarily a deterrent. The United States is considered
on Jan. 29, 2010. This was part of the CNO’s vision to achieve the
integration and innovation necessary for warfighting superiority to have the most powerful cyber capabilities, but it’s still
across the maritime, cyberspace, and information domains. The 10th a primary target. Anyone with a network connection is
Fleet was first established in 1941 as the lead for anti-submarine
warfare. The global responsibility of today’s 10th Fleet is comparable a potential target, making the damage easier to inflict
to that of its predecessor, which protected American forces through and with greater potential consequences.”
the use of intelligence and information.
69 Hon. Michael Chertoff, comments from CACI-USNI – Dr. J.P. (Jack) London
Asymmetric Threats Symposium Three.

UNCLASSIFIED
mission would be, at best, severely compromised. This

situation applies across modern society as a whole.70
The cyber domain cannot be comprehensively secured.

The underlying technologies were conceived of for very
different circumstances. There were few computers,
computers and general communications had not
converged, and physical security for systems was the
ultimate and entirely practical guarantee of system
security. Nevertheless, the U.S. and nations around the
word continue to rely on architectures and systems that
are neither secure nor resilient, and are trying to retrofit
security on to those systems and architectures.
What can be done will be expensive and time

Recognizing that the current threat environment consists of constant attack, consuming, and will be effective only to an uncertain
the U.S. must devote significant resources to developing cyber technologies extent. The economics of cybersecurity inside
and expertise that take their place among all instruments of national power.
Photo courtesy of Department of Defense. government, and beyond, are not favorable. The costs
of inaction in implementing cyber methods that would
the government must develop incentives for assistance protect networks and systems are low, while the costs of
as well as mechanisms to protect corporate entities implementing effective security measures are high, and
assisting in the national defense. In this connection, it is must for now compete with other budget priorities.
interesting to note that the notion of the privateer, derived
from traditional maritime law, has renewed relevance in Cybersecurity and supply chain security are broadly
cyberspace. The U.S. must also work to minimize the societal problems, not purely governmental problems.
likelihood of unintended consequences. There is a diversity of cyber actors, from individuals with
criminal intent to nation states, terrorists, and industrial
spies. They work singly or in ever-shifting coalitions –
5.1 Findings and every element of society is a potential target.
While lacking an established terminology and The inextricable interconnection of Internet-capable
approach to immediately make sense of the cyber systems brings individuals into close logical proximity to
domain and the cyber threat, there are a number of institutional systems, whether corporate, governmental,
conclusions that can advance national understanding. or non-governmental. Under such circumstances, each
Nearly every nation is dependent on the converged individual can be the unwitting dupe of hostile cyber actors.
computer and communications technologies on which Furthermore, the revolution in computer and
the cyber domain is built, some for virtually every aspect communications technologies has had a leveling effect on
of day-to-day life. At the same time, the wired world society. While symposium participants discussed the need
has in many, and perhaps most cases, lost the ability to for cybersecurity training of military personnel, the simple
operate in simpler but more secure ways. truth is that all of us are potential cyber warriors. We each
For example, traditional seamanship skills such as use need to be able to rely on all other users to protect the
of signal flags or lamps to communicate have been system on which, for good or ill, we all depend.
abandoned by the fleet, as have navigational skills like Policy does not adequately address the cyber threat and
dead reckoning based on astronomical observations. If the has not yet put the U.S. on a path that ensures success.
modern communications and navigation technologies that While many elements of this policy are in development,
have replaced the traditional methods were compromised,
or rendered ineffective, the fleet’s ability to carry out its 70 England, op. cit.

UNCLASSIFIED
the unprecedented scope of the challenge demands an The campaign must forthrightly and directly address a
equally unprecedented effort. Tried and true approaches series of highly sensitive issues, including open society
may offer something of value to the U.S. response, but vs. open cyberspace; anonymity vs. privacy and the
they will be inadequate if they are not reinforced with Constitutional right to privacy; and assignment and
genuinely innovative approaches to policy. In particular, acceptance of responsibility.
alliances that emphasize flexibility and agility must be
formed among all segments of society, its institutions,
and individual members.
5.3 Defining Cybersecurity
Success
5.2 Recommendations Without a refined evaluation protocol, gauging the
nation’s success in countering cyber threats will prove
There are a number of specific recommendations at least as elusive as assessing the efficacy of America’s
that follow from the conclusions that arose from the response to the more conventional – yet asymmetric –
symposium. These appear below. terrorist attack of September 11, 2001.
A highly reputable public and private consortium should The absence of a successful large-scale cyber assault
be formed to implement these recommendations. The against the U.S. only provides a false sense of security.
consortium’s goal will be to give the public practical,
actionable information that will empower individuals Similarly, for industry the imperatives must be shared
and organizations to understand the significance of the between corporations, government, customers, and
safe use of all Internet-connected devices, as well as each the investment community. The role of the investment
individual’s responsibility in protecting all other users. community is of particular importance because of the
Recommendations
Recommendation 1 – The U.S. needs to aggressively pursue a comprehensive national security policy that
ensures the nation is prepared to react to and preempt cyber attacks on systems and critical infrastructure on
which American society depends.
Recommendation 2 – Supply chain security must be part of the establishment of an overall cyber
intelligence capability that ensures situational awareness and the continuous monitoring of cyber threats.
This capability would include collecting, analyzing, evaluating, and disseminating critical cyber intelligence
with both national and international partners, as well as developing and implementing appropriate response
mechanisms.
Recommendation 3 – The U.S. must develop the ability to build a small number of computer and
communication systems that are absolutely certain to be secure. These would be systems built outside of the
normal supply chain, from critically secured components sourced only from the U.S. and trusted allies. The
cost would be significant, but the effort would ensure the availability of at least a limited number of assured
systems architected from hardware and software components that have not been compromised and which can
operate with confidence in support of critical activities for key government functions.
Recommendation 4 – The U.S. needs to develop and sustain a strategic communications campaign to provide
the public with a realistic appreciation of the cyber threat.

UNCLASSIFIED
critical role this community plays in assessing how 5.4 Conclusion

businesses use their capital and operating budgets. If a
business’s expenditures for all aspects of cybersecurity Cybersecurity is everyone’s concern. The increasing
are judged as investments reducing risk, then the costs dependency on technology has only increased
of protecting a corporation against cyber threats will be vulnerability to it. That increased interconnectivity
seen as essential to good governance and will enhance has only exacerbated existing security threats around
shareholder value. the world.74
Despite these challenges, certain metrics, if properly The findings and recommendations of the symposium
defined, can prove useful in assessing legislative and on Cyber Threats to National Security – Countering
executive branch success in anticipating and countering Challenges to the Global Supply Chain are intended to
cyber threats to the national supply chain. advance a national dialogue on defining and examining
the nature of cyber attacks, and in particular, in exploring
As noted in the Government Accountability Office
the key area of supply chain security.
(GAO) Report on Cybersecurity, published March 5,
2010, “Measuring performance allows organizations to The next symposium in the Cyber Threats series is
track the progress they are making toward their goals.”71 being planned for Spring 2011. As details become final,
In the cybersecurity arena, benchmarks and milestone information will be posted to the Asymmetric Threat
reviews can be developed to track implementation website at www.asymmetricthreat.net.
progress and gauge the real-world effectiveness of
various activities. Cybersecurity initiatives such as those 74 Dr. J.P. (Jack) London, USNI-CACI symposium comments.
proposed by CSIS could assess effectiveness through
periodic testing and such approaches as evaluating the
success of “red team” attacks.72
Yet, although these measures will provide information

relevant to assessing an agency’s success in certain
areas, any serious effort to determine national success
must recognize that cybersecurity is “a process, not a
patch.”73 Modifications to the nation’s legislative and
regulatory cybersecurity apparatus, and the international
initiatives necessary to link the global community in
common defense, must continue over the long term,
as the cyber threat grows and evolves. Evaluating the
success of the collective response to global threats will
be a process equally as continuous and evolutionary.
71 GAO Report on Cybersecurity, March 5, 2010.

72 Ibid. The cyber domain holds both the source and the solution to cyber threats,
73 Professor Eugene Spafford, Purdue University, as quoted in and every individual has a role in acting responsibly as a cyber citizen.
James Fallows, “Cyber Warriors,” The Atlantic, March 2010. Graphic courtesy of CACI.

UNCLASSIFIED
Glossary images shot with camera phones distributed over the

Internet and viewed on computers are the business
processes used by children and jihadists, alike.
Asymmetric threat – A broad and unpredictable Council of Europe Convention on Cybercrime –

spectrum of risks, actions, and operations conducted by The first international treaty on crimes committed via
state and non–state actors that can potentially undermine the Internet and other computer networks. Its main
national and global security. objective is to pursue a common criminal policy
aimed at the protection of society against cybercrime,
Asymmetric warfare – Combat between two or especially by adopting appropriate legislation and
more state or non-state actors whose relative military fostering international cooperation. It was ratified in
power, strategies, tactics, resources, and goals differ Budapest in 2001 and went into effect on July 1, 2004.
significantly. See also http://conventions.coe.int/Treaty/EN/Treaties/
html/185.htm.
Botnet – A “robot network.” Generally regarded as a
collection of compromised computers (“robots”) operated Cybersecurity – The protection of data and systems
by remote command and control and running malicious in networks that are connected to the Internet by
software that the computer’s user is unaware of. See also preventing, detecting, and responding to attacks. See also
http://www.microsoft.com/protect/terms/botnet.aspx. the Department of Homeland Security’s U.S. Computer
Security Readiness Team website at http://www.us-cert.
Center for Strategic and International Studies
gov/cas/tips/ST04-001.html.
(CSIS) – A bipartisan, nonprofit public policy research
institution headquartered in Washington, DC. CSIS Cyberspace/Cyber domain – The information
conducts research and analysis and develops policy environment of the global network of information
initiatives for consideration by decision-makers in the technology infrastructures that includes the Internet,
public and private sector. See also http://csis.org. telecommunications networks, computer systems, and
embedded processors and controllers. The term was
Comprehensive National Cybersecurity Initiative
originated by author William Gibson in his 1984 novel
(CNCI) – Launched by President George W. Bush in
Neuromancer. See also Joint Publication 1, Doctrine
National Security Presidential Directive 54/Homeland
for the Armed Forces of the United States. Accessed at
Security Presidential Directive 23 in January 2008, the
http://www.dtic.mil/doctrine/new_pubs/jp1.pdf.
CNCI consists of a number of mutually reinforcing
initiatives designed to help secure the United States Cyberterrorism – The unlawful attacks and threats of
in cyberspace: CNCI-11, referenced in the text, is attack against computers, networks, and the information
to develop a multi-pronged approach for global stored therein when done to intimidate or coerce a
supply chain risk management. See also http://www. government or its people to further political or social
whitehouse.gov/cybersecurity/comprehensive-national- objectives.
cybersecurity-initiative.
Cyber actors – Any person or entity that communicates
Converged Computer and Communications or operates in cyberspace. In this white paper, special
Technologies – A phrase used to emphasize that reference is made to individuals, criminals and criminal
computer and communications devices today are not enterprises, terrorists, nation states, and corporations. A
distinct, though as recently as 25 years ago this was not distinction is also sometimes made between intentional
the case. At that time, even when computer network and unintentional cyber actors (the latter motivated by
data was sent over a communications network, the two criminal intent but who do not intend to damage national
were separate. Computers were not used as telephones, security). See also www.dtic.mil/cgi-bin/GetTRDoc?AD
and telephones were not used to do “data processing.” =ADA406949&Location=U2&doc=GetTRDoc.pdf.
Neither was used to watch video entertainment. Today,

UNCLASSIFIED
Cyber attack – Generally an act that uses computer initiative. Overseen by U.S. Customs and Border
code to disrupt computer processing or steal data, often Protection, C-TPAT is designed to build cooperative
by exploiting a software or hardware vulnerability or a relationships that strengthen and improve overall
weakness in security practices. Results include disrupting international supply chain and U.S. border security. See
the reliability of equipment, the integrity of data, and the also http://www.cbp.gov/xp/cgov/trade/cargo_security/
confidentiality of communications. As technologies and ctpat/what_ctpat/ctpat_overview.xml and http://www.
cyberspace capabilities evolve, the types and nature of supplychainsecurity.biz/index.htm.
cyber attacks are also expected to evolve, so that current
definitions should be viewed as foundational rather than Doctrine, Organization, Training, Material,
final. See also Botnets, Cybercrime, and Cyberterrorism: Leader Development, Personnel, and Facilities
Vulnerabilities and Policy Issues for Congress, (DOTMLPF) – The standard set of factors to be
Congressional Research Service Report for Congress, considered by the military when establishing a new
updated January 29, 2008. Accessed at http://www.fas.org/ national security capability. See also Joint Publication
sgp/crs/terror/RL32114.pdf. 1-02, Department of Defense Dictionary of Military and
Associated Terms.
(U.S.) Cyber Command – A subordinate unified
command under U.S. Strategic Command. It was Federal Information Security Management Act – Title
created in June 2009 and achieved initial operational III of the E-Government Act (Public Law 107-347)
capability in May 2010. Headquartered at Fort Meade, of 2002. It recognizes the importance of information
MD, it centralizes command of cyberspace operations security to the economic and national security interests
with service elements that include the Army Forces of the U.S. and requires each federal agency to develop,
Cyber Command; 24th USAF; Fleet Cyber Command; document, and implement an agency-wide program
and Marine Forces Cyber Command. See also the to provide information security for the information
Cyber Fact Sheet at http://www.defense.gov/home/ and information systems that support the operations
features/2010/0410_cybersec. and assets of that agency, including those provided
or managed by another agency, contractor, or other
Cyber criminals – Individuals or groups whose criminal source. See also http://csrc.nist.gov/groups/SMA/fisma/
conduct is primarily through or are dependent on overview.html.
operating through cyberspace/cyber domain.
Gilmore Commission – A federally chartered
Cyber manipulation – A cyber attack involving an commission formally known as the Advisory Panel to
information operation resulting in a compromise of the Assess Domestic Response Capabilities for Terrorism
operation or product delivered through a supply chain. Involving Weapons of Mass Destruction. Chaired
For example, products are delivered to the wrong place, by former Virginia Governor James S. Gilmore, the
at the wrong time, or not at all, or there is a quality or commission was formed in 1999 and made five reports
type problem. to the President and Congress between 1999 and 2003.
See also http://www.rand.org/nsrd/terrpanel.
Cyber terrorists – Those who commit acts of
cyberterrorism. Government Accountability Office (GAO) Report on
Cybersecurity – A report by GAO to Congress in which
Cyber threats – Natural or manmade incidents GAO provided requestors with (1) what actions have
(intentional or unintentional) that would be detrimental been taken to develop interagency mechanisms to plan
to the cyber domain, or which are dependent on or and coordinate Comprehensive National Cybersecurity
operate through cyberspace/cyber domain. Initiative (CNCI – see above) activities and (2) what
DHS Customs Trade Partnership Against Terrorism challenges CNCI faces in achieving its objectives related
(C-TPAT) – A voluntary government-business initiative to securing federal information systems. Published
considered the first worldwide supply chain security March 5, 2010. See also http://www.gao.gov/new.items/
d10338.pdf.

UNCLASSIFIED
Homeland Security Presidential Directive 23 (HSPD Supply chain – Starting with unprocessed raw
23) – One of two directives issued by President George materials and ending with the final customer using the
W. Bush in 2008 (the other being National Security finished goods, the supply chain links many companies
Presidential Directive 54, see below) that formalized a together. Also defined as the material and informational
series of continuous efforts to further safeguard federal interchanges in the logistical process stretching from
government systems and reduce potential vulnerabilities, acquisition of raw materials to delivery of finished
protect against intrusion attempts, and better anticipate products to the end user. All vendors, service providers
future threats. See also http://www.dhs.gov/xnews/ and customers are links in the supply chain. See also
releases/pr_1207684277498.shtm. http://cscmp.org/digital/glossary/glossary.asp.
Host-based security system (HBSS) – A system based Strategic communication – Focused government
on an approach to cybersecurity that shifts focus efforts to understand and engage key audiences to
from perimeter security and authentication controls create, strengthen, or preserve conditions favorable for
to internal factors. This includes reassessing physical the advancement of government interests, policies, and
and procedural security practices and considering objectives through the use of coordinated programs,
vulnerability assessments of systems, applications, plans, themes, messages, and products synchronized
and interactions with other hosts. See also http://www. with the actions of all instruments of national power.
windowsecurity.com/articles/Science_Host_Based_
Security.html. (U.S.) Transportation Command – Provides air, land,
and sea transportation for the Department of Defense.
ISO 28000 Series – The International Organization for Located at Scott Air Force Base, IL, the command
Standardization’s specification for security management is composed of three component commands: the
systems for the supply chain. See also http://www.iso. Army’s Military Surface Deployment and Distribution
org/iso/catalogue_detail?csnumber=44641. Command; the Navy’s Military Sealift Command; and
the Air Force’s Air Mobility Command. See also http://
National Security Presidential Directive 54 (NSPD www.transcom.mil.
54) – One of two directives issued by President George
W. Bush in 2008 (the other being Homeland Security World Customs Organization – An intergovernmental
Presidential Directive 23, see above) that formalized a organization exclusively focused on customs matters. It
series of continuous efforts to further safeguard federal works in areas that include supply chain security and the
government systems and reduce potential vulnerabilities, facilitation of international trade. See also http://www.
protect against intrusion attempts, and better anticipate wcoomd.org/home.htm.
future threats. See also http://www.dhs.gov/xnews/
releases/pr_1207684277498.shtm.
PKI (public key infrastructure) – Enables users of an

unsecure public network such as the Internet to securely
and privately exchange data and money through the
use of a public and private cryptographic key pair from
a trusted authority. Using the public and private keys,
individuals can protect information by encrypting
messages and digital signatures and providing for
a digital certificate of authenticity. See also http://
searchsecurity.techtarget.com/sDefinition/0,,sid14_
gci214299,00.html.

UNCLASSIFIED
Acknowledgments
Symposium Participants (alphabetical order)
Zalmai Azmi C.A. Dutch Ruppersberger (D-MD) Jeff Wright
Senior Vice President, U.S. House of Representatives Senior Vice President,
Enterprise Technologies and Services Group, Enterprise Technologies and Services Group,
CACI International Inc
Loretta Sanchez (D-CA) CACI International Inc
U.S. House of Representatives
Robert J. Carey
Chief Information Officer, William S. Wallace Editor
Department of the Navy General, USA (Ret); CACI Board of Directors Michael Pino
David M. Wennergren Publications Principal,
Edward J. Case
Deputy Assistant Secretary of Defense for CACI International Inc
Acting Director, Information Operations,
Chief Information Officer, Defense Logistics Information Management and Technology and
Agency DoD Deputy Chief Information Officer Reviewer
Steven R. Chabinsky Thomas L. Wilkerson Z. Selin Hur
Major General, USMC (Ret); Strategic Programs Development, Principal,
Deputy Assistant Director, Cyber Division,
Chief Executive Officer, USNI CACI International Inc
Federal Bureau of Investigation
Claude V. “Chris” Christianson Authors Graphic Design
Lieutenant General, USA (Ret); Director of
the Center for Joint and Strategic Logistics, Hilary Hageman Chris Impink
Vice President, Legal Division, CACI Graphic Artist, CACI International Inc
National Defense University
International Inc
Paul Cofoni Art Direction
President and Chief Executive Officer, Ian Harper
CACI International Inc Senior Director, Enterprise Technologies and
Steve Gibson
Creative Director, CACI International Inc
Services Group, CACI International Inc
Gordon R. England
Former Deputy Secretary of Defense and Stan Poczatek
Philip M. Sagan, Ph.D. Senior Designer, CACI International Inc
former Secretary of the Navy Executive Director, National Solutions Group,
James S. Gilmore, III Publisher and Editor-in-Chief
Former Governor of the Commonwealth of Alan Weyman
Virginia; CACI Board of Directors Dr. J.P. (Jack) London
Vice President, Enterprise Technologies and Executive Chairman, CACI
Vergle Gipson Services Group, CACI International Inc International Inc; Former CEO,
Chief of the Analysis Office, National Security CACI International Inc
Agency/Central Security Service Threats Advisors
Operation Center Zalmai Azmi Communications Executive
Jim R. Langevin (D-RI) Senior Vice President, Jody Brown
U.S. House of Representatives Enterprise Technologies and Services Group, Executive Vice President,
CACI International Inc Public Relations,
Dr. J.P. (Jack) London
Executive Chairman, CACI Paul Cofoni CACI International Inc
International Inc; Former CEO, President and Chief Executive Officer,
CACI International Inc CACI International Inc Program Managers
Dr. Bruce McConnell Chas Henry Philip M. Sagan, Ph.D.
Counselor to the National Protection Executive Director of Communications, USNI Executive Director, National Solutions Group,
and Programs Directorate Deputy Under CACI International Inc
Secretary, Department of Homeland Security Dr. J.P. (Jack) London
Executive Chairman, CACI
Jeff Wright
Dr. Warren Phillips Senior Vice President,
International Inc; Former CEO,
Professor Emeritus, University of Maryland; Enterprise Technologies and Services Group,
CEO/COB, Advanced Blast Protection; CACI CACI International Inc
Board of Directors Dr. Warren Phillips Cyber Threats to National Security –
Professor Emeritus, University of Maryland;
Tom Ridge Countering Challenges to the Global
CEO/COB, Advanced Blast Protection; CACI
Former Secretary of the Department of Supply Chain was held on March 2, 2010
Board of Directors
Homeland Security at Fort Myer, Arlington, Virginia.

UNCLASSIFIED
For more information on the Asymmetric Threat symposia series, visit
http://asymmetricthreat.net
The site includes downloadable white papers from each symposium and serves
as a knowledge network to advance the dialogue on national and global security,
presenting resources and original research, and providing a forum for review and
discussion of pertinent themes and events.
July 2010

®
U.S. Naval Institute CACI International Inc

291 Wood Road 1100 North Glebe Road
Annapolis, Maryland 21402 Arlington, Virginia 22201
(410) 268-6110 (703) 841-7800
www.usni.org www.caci.com
© CACI 2010

Asymmetric Threat 4 Paper

Загружено:

Сведения о документе

Исходное описание:

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Asymmetric Threat 4 Paper

Загружено:

Авторское право:

Доступные форматы

D E A L I N G W I T H T O D A Y ’ S A S Y M M E T R I C T H R E AT

Countering Challenges to the

Global Supply Chain

© 2010 CACI International Inc UNCLASSIFIED H 1

2 H UNCLASSIFIED © 2010 CACI International Inc

1 Introduction 1.1 An Unprecedented

U.S. warfighting and national security prowess have

© 2010 CACI International Inc UNCLASSIFIED H 3

“Cybersecurity has the same reach as homeland

5 Chabinsky, op. cit.

4 H UNCLASSIFIED © 2010 CACI International Inc

compromised. Currently, supply chain users around

The U.S. government, which sponsored the development

While the U.S. government is a large user, perhaps

6 Chabinsky and Vergle Gipson, CACI-USNI symposium 8 Ibid.

© 2010 CACI International Inc UNCLASSIFIED H 5

The government also needs to work closely with

the private sector for a truly comprehensive cyber

response. The private sector is the source of most cyber

Finally, the government must commit to a strategic

6 H UNCLASSIFIED © 2010 CACI International Inc

© 2010 CACI International Inc UNCLASSIFIED H 7

• Corporations. Industrial espionage has developed in

8 H UNCLASSIFIED © 2010 CACI International Inc

The amount of damage that can be done by a cyber

Among other important asymmetries associated with the

• Defenders need to be successful always and

© 2010 CACI International Inc UNCLASSIFIED H 9

affect the morale of society through diffuse attacks on

2.2.2 Impact on the Private Sector

2.2.1 Impact on Government Outsourcing data centers to locations abroad is another

10 H UNCLASSIFIED © 2010 CACI International Inc

3 Securing Supply Chains

The consequence is that the impacts on government,

© 2010 CACI International Inc UNCLASSIFIED H 11

There are very few acquisition systems that track an end

Rather than a global systems assessment, the practical

12 H UNCLASSIFIED © 2010 CACI International Inc

© 2010 CACI International Inc UNCLASSIFIED H 13

all other supply chains are insecure by inheritance. It is

However, when considering the threat to society, it is

From the time raw materials are obtained to build

• Use of PKI and other strong authentication

• Use of detection, prevention, and remediation

14 H UNCLASSIFIED © 2010 CACI International Inc

Do the system integrators research where the individual

Cyber warriors know no borders. While our supply

• Exfiltrating technical data for prime weapons

© 2010 CACI International Inc UNCLASSIFIED H 15

There are several aspects that might be included. First

16 H UNCLASSIFIED © 2010 CACI International Inc

4 The Way Forward:

CNCI-11 addresses many of these issues from a

34 Catherine A. Theohary and John Rollins, “Cybersecurity: Current

© 2010 CACI International Inc UNCLASSIFIED H 17

adjunct would be to create a cybersecurity “reserve

Such initiatives will require the authorization and

18 H UNCLASSIFIED © 2010 CACI International Inc

© 2010 CACI International Inc UNCLASSIFIED H 19

establishing the range of potential responses. Although it

The rules of engagement, including the parameters of a

20 H UNCLASSIFIED © 2010 CACI International Inc

4.3 A Private-Public Partnership